The discussion on mission

  • Security teams influence a mission:
    • Reducing risks
      • Avoiding undesirable future scenarios with impact.
      • Reducing risks imposed on customers / society.
    • Increasing trust
      • Improving perception of your organization's risks.
    • Complying with governance
      • Following laws, regulations, contracts, etc.
  • Security work comes in many different forms:
    • Business needs: Supporting or creating opportunities with the business.
    • Operations: Maintaining mitigation commitments.
    • Engineering: Improving efficiency / effectiveness of mitigations, and the team.
    • Incidents and Unplanned Work: Working on surprises.

The discussion on security work

  • Security work can become imbalanced:
    • Fascinated with only risk, only trust, or only governance.
    • Drowning in unplanned work, unable to move forward.
  • Security work balances by making investments to avoid unplanned work:
    • Unplanned work is toilsome, but suggests areas for investment.
    • Business Projects and Operations reduce unplanned work, but are still a burden.
    • Engineering investments eliminate or reduce business projects and operations, and are desirable.

Caveats:

  • This is idealistic writing.
  • Organizational debts change everything.